Privacy - Infected Blood Compensation Authority

This notice sets out how we will use your personal data, and your rights. It is made under Articles 13 and/or 14 of the UK General Data Protection Regulation (UK GDPR).

What data we collect and why we need it

To administer the infected blood compensation scheme, and assist the Infected Blood Support Schemes we use the following data categories:

Personal information:

Personal information is any information that can be used to identify a living person. For example, an individual’s email address, telephone number, or NHS number.

We collect and use the following personal information:

Contact details;
National Insurance (NI) number;
Date of Birth;
Bank account details;
Details of payments received;
Recording of calls;
Probate documentation;
Personal details of family members such as dependent children, and next of kin.

More sensitive information:

The UK GDPR gives extra protection to more sensitive information known as ‘special category data’. Information concerning health and care falls into this category and needs to be treated with greater care. Data that relates to criminal offences is also considered particularly sensitive.

We collect and use the following more sensitive information (including special category data):

Medical data (including conditions, details of treatment, place of infection);
Personal identity documentation which may infer particular characteristics to uniquely identify an individual, such as, passport, driving licence, marriage certificate;
Personal information which was provided voluntarily by you in the event you participated in/gave evidence to the Infected Blood Inquiry (IBI) and waived your anonymity in the process;
In some cases, we may process data about racial or ethnic origin, sexuality or criminal convictions data where it is held in medical records or applications.

To establish, exercise or defend legal claims and appeals with HM Courts & Tribunals Service (HMCTS):

The use of this data must be relevant and proportionate, and we will only share data that is necessary to comply with our legal obligations, and specifically where an appeal against an IBCA decision has been lodged.

For security purposes:

IP addresses; activity logs, CCTV video footage, records of visitors to our buildings, records of security passes issued; and access control logs.

To detect and prevent fraud:

Any data submitted in an application may be used to detect, prevent and investigate fraud against IBCA.

To comply with our obligations under the Public Records Act 1958, the Freedom of Information Act 2000, and the data protection legislation:

Name, address, email address, your request, and other personal data if you volunteer it. In responding to data subject requests we may process identity verification documents and any data on you held by IBCA.

For managing correspondence:

Name, address, email address, any concerns raised in your correspondence, any other information you volunteer about yourself. We may also process special category data or data about criminal convictions, if you volunteer such information.

For maintaining contact details:

Name, address, email address, job title, phone number, signature, and employer. Where we have consulted you for your views, the information may include your opinions.

For social media activity:

Where you have engaged with IBCA through a social media platform, we may process names, email addresses, photographs, videos, social media handles, opinions, and any other data volunteered, including sensitive personal data.

How do we keep your data secure

We use appropriate technical and organisational measures to ensure the ‘confidentiality, integrity and availability’ of our systems and services and the personal data we process within them.

Only authorised personnel, on a strictly need to know basis, have access to your personal data. This allows IBCA to securely administer your claim.

Who do we share your data with

For all purposes:

As personal data will be stored on our IT infrastructure, it will also be shared with our data processors, who provide email and document management and storage services. We receive IT services from the Cabinet Office, who process data on our instructions.

To administer the infected blood compensation scheme, and assist the IB Support Schemes:

We will share data collected from Alliance House Organisations (AHO) with the Infected Blood Support Schemes (IBSS) in order to facilitate payments.

To verify bank accounts:

We will share data with Experian, a Credit Reference Agency (CRA) to verify that bank accounts/sort codes are correct and associated with the supplied named individual. We only share the minimum data necessary to verify an account, this includes, name, address, sort code, and bank account number.

To make compensation payments:

We will share data with the Department of Works and Pensions (DWP). We only share the minimum data necessary to administer compensation payments, this includes, National Insurance number, name, bank account number and sort code, building society roll number, net amount, payee name.

To provide independent legal advice:

We will share your data with one of our approved law firms where you have requested independent legal advice.

To establish, exercise or defend legal claims and appeals with HMCTS:

To develop and improve our services:

Your data may be shared with our research partners, and suppliers who provide survey and consultation management services.

For security purposes:

Data may be shared with our security and estates suppliers. In the case of an incident data may be shared with law enforcement organisations.

To detect and prevent fraud:

Your data may be shared with law enforcement organisations, and other government departments in order to verify information you supply to us.

To comply with our obligations under the Public Records Act 1958, the Freedom of Information Act 2000, and the data protection legislation:

Data we hold may be selected for transfer and permanent preservation at The National Archives, but only where doing so would not breach your data protection privacy rights.

For managing correspondence:

Your information may be shared with the Infected Blood Support Schemes, the Alliance House organisations, other public bodies, or the devolved administrations, where it is necessary and in order to provide a full answer to you. Your information may be shared with your MP, where they are writing on your behalf.

For maintaining contact details:

Your personal data will be shared by us with officials in other public bodies. This would be to assist in the development of policy, or for operational reasons.

For social media activity:

Any personal data shared on social media platforms will be shared with those social media providers. Any personal data shared on social media platforms is made public, unless privacy settings have been used.

What is our legal basis of processing your data

The legal basis for processing your personal data is:

To administer the infected blood compensation scheme, and assist the IB Support Schemes:

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller as set out by the Victims and Prisoners Act 2024 (Article 6(1)(e) UK GDPR).

Our legal basis for processing special category health and sexuality data, and criminal convictions data, is that the processing is necessary for reasons of substantial public interest for the exercise of a function conferred on a person by an enactment or rule of law (para 6, sch.1, Data Protection Act 2018).

To establish, exercise or defend legal claims and appeals with HMCTS:

To develop and improve our services:

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e) UK GDPR).

For security purposes:

It is necessary for the purposes of our legitimate interests (Article 6(1)(f) UK GDPR).

To detect and prevent fraud:

It is necessary for the purposes of our legitimate interests (Article 6(1)(f) UK GDPR).

To comply with our obligations under the Public Records Act 1958, the Freedom of Information Act 2000, and the data protection legislation:

In relation to responding to freedom of information and data subject requests, the legal basis for processing your personal data is that it is necessary to comply with a legal obligation placed on us as the data controller (Article 6(1)(c) UK GDPR).

Where special category data or data about criminal convictions is processed in relation to a request, our legal basis for processing it is that the processing is necessary for reasons of substantial public interest for the exercise of a function conferred on a person by an enactment or rule of law (para 6, sch.1, Data Protection Act 2018).

For managing correspondence:

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller (Article 6(1)(e) UK GDPR). In this case, that is being accountable and transparent about the functions and policies for which IBCA is responsible.

Where special category data or data about criminal convictions is volunteered by a correspondent, our legal basis for processing it is that the processing is necessary for reasons of substantial public interest for the exercise of a function conferred on a person by an enactment or rule of law (para 6, sch.1, Data Protection Act 2018).

For maintaining contact details:

The legal basis for processing your personal data is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller (Article 6(1)(e) UK GDPR).

For social media activity:

Where we post personal data relating to IBCA activity, our legal basis is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e) UK GDPR). Where we process personal data generated by social media users, the legal basis for processing that personal data is because the user consents to us doing so.

The legal basis for processing any sensitive personal data or any data on criminal convictions is because the social media user consents to us doing so, or because it relates to personal data which are manifestly made public by the social media user.

How long do we keep your data

Case files will be kept by us for 8 years, unless specified otherwise below. This period will run from the point of a case closing, for example when a final payment is made.

Security purposes:

CCTV footage will be retained for 61 days. Visitor records are kept for 18 months.

To detect and prevent fraud:

For the length of our investigation, and any subsequent investigation or prosecution. Payee and transaction details may be kept indefinitely.

To comply with our obligations under the Public Records Act 1958, the Freedom of Information Act 2000, and the data protection legislation:

Personal data held in relation to FOI and data subject requests and Internal reviews will be kept by the department for up to two years from the date the case has been closed on our system, unless the case has escalated to the Information Commissioner’s Office (ICO). In the event of the latter, we shall retain your data for three years from the date the ICO case has been closed on our system in order to maintain an appropriate record in case of further appeals.

For maintaining contact details:

Your personal data will be kept by us for the purposes of contacting individuals in particular roles, and once they leave those roles the information will be updated and or deleted. This should take place at least once a year.

For social media activity:

Our social media posts will be retained indefinitely as part of the historical record. Data published on social media platforms by end users will remain until it is deleted by the social media user.

Where personal data have not been obtained from you

If you are an applicant or the representative of an applicant, we may have obtained your data from the Alliance House organisations or one of the Infected Blood Support Schemes.

We may have obtained personal information which was provided voluntarily by you in the event you participated in/gave evidence to the Infected Blood Inquiry (IBI) and waived your anonymity in the process.

We may have obtained personal information from an approved law firm where you have requested independent legal advice.

We may also have obtained data from another government department in order to verify information you have supplied to us, or on your behalf in order to satisfy scheme eligibility criteria.

With regard to correspondence, where we did not receive your personal data from you, it was received from your MP, from another person writing in on your behalf, or from another correspondent.

Your data protection rights

Which lawful basis for processing we rely on may affect your data protection rights which are in brief set out below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. You can read more about this right here.
Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. You can read more about this right here.
Your right to erasure - You have the right to ask us to delete your personal information. You can read more about this right here.
Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information. You can read more about this right here.
Your right to object to processing - You have the right to object to the processing of your personal data. You can read more about this right here.

If you make a request, we must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact us using the contact details at the bottom of this privacy notice.

International transfers

As your personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the UK. Where that is the case it will be subject to equivalent legal protection through an adequacy decision, or reliance on a UK International Data Transfer Agreement.

Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, or 0303 123 1113, or icocasework@ico.org.uk. Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Contact details

The data controller for your personal data is the Infected Blood Compensation Authority. The contact details for the data controller are: Infected Blood Compensation Authority (IBCA), PO Box 384, Newcastle upon Tyne, NE98 1XY, or ibca.datagov@ibca.org.uk.

The contact details for the data controller’s Data Protection Officer are: dpo@cabinetoffice.gov.uk.

The Data Protection Officer provides independent advice and monitoring of the Infected Blood Compensation Authority’s use of personal information.